January 23, 2019

OpenSSL – List Trusted Certificate Authorities

Unlike Microsoft Windows, which provides the Trusted Root Certification Authorities Certificate Store, Redhat and CentOS distributions do not provide a “straight forward” way in which to quickly check if a Certificate Authority is included into the Certificate Authority Bundle (CA Bundle).

During a recent project engagement I came across a simple CLI command which can be used to parse the CA bundle and list all of the CA’s included:

[m@srv /home/user]# awk -v cmd='openssl x509 -noout -subject' '
    /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt

Alternatively the same command can be ran, piped through grep to identify a specific CA, for example “Entrust” –

[m@srv /home/user]# awk -v cmd='openssl x509 -noout -subject' '
    /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt | grep Entrust

Whilst not complicated, this simple syntax saves a substantial amount of time manually searching CA bundles with a text editor.